Cybercriminals have recently launched yet another massive spam campaign attempting to trick e-banking users into thinking that their ability to process ACH transactions has been temporarily disabled. Upon clicking on the link found in the malicious email, users are exposed to the client-side exploits served by the Black Hole Exploit Kit.

Although we couldn’t reproduce the malicious exploitation taking place through bamanaco.ru and lentuiax.ru, we found that, at the time of the attack, similar client-side exploit-serving URLs were also responding on the same IPs, which led us to the actual malicious payload hosted on two of these domains.

Responding on the same IPs at the time of the attack were also the following malicious domains:
hxxp://ganiopatia.ru:8080/forum/links/column.php
hxxp://dimarikanko.ru/forum/links/column.php

Upon execution, the payload creates the following process on the system:
%AppData%\kb00121600.exe

It also creates the following Registry Keys:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CFBDC89D4
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\S25BC2D7B

Next it also creates the following mutexes on the system:
Local\XMM000004B8
Local\XMI000004B8
Local\XMRFB119394
Local\XMM000000C8
Local\XMI000000C8
Local\XMM000000D4
Local\XMI000000D4
Local\XMM000000F0
Local\XMI000000F0
Local\XMM00000148
Local\XMI00000148

The payload then phones back to 173.224.215.130/AJtw/UCygrDAA/Ud+asDAA (AS40676). The IP resolves to beast.unixbsd.info (abuse contact: abuse@psychz.net).
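The host and network artefacts listed above can be turned into a simple triage check. The following is an added example, not code from the original post: it matches a host snapshot against the dropped file name, the C2 address, and the shape shared by the registry key names (nine random upper-case characters under Windows NT) and the mutex names (Local\XM{M,I,R} plus eight hex digits), so it also catches sibling samples with different random values. The snapshot layout (lists of process paths, registry keys, mutex names and ip:port connections) is an assumption made for this example.

```python
import re
from typing import Dict, List

# Indicators quoted in the write-up above.
DROPPED_BASENAME = "kb00121600.exe"      # dropped as %AppData%\kb00121600.exe
C2_HOST = "173.224.215.130"              # phone-home address

# Both observed keys sit directly under HKCU\Software\Microsoft\Windows NT with a
# 9-character random upper-case name; the legitimate "CurrentVersion" subkey has
# lower-case letters and a different length, so this heuristic leaves it alone.
RANDOM_KEY = re.compile(
    r"^HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\[0-9A-Z]{9}$")
# All eleven observed mutexes share the shape Local\XM{M,I,R} + 8 hex digits.
XM_MUTEX = re.compile(r"^Local\\XM[MIR][0-9A-F]{8}$")


def check_host_snapshot(snapshot: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Return the indicator hits per category for one host snapshot.
    The snapshot dict layout is an assumption for this example."""
    hits: Dict[str, List[str]] = {"process": [], "registry": [],
                                  "mutex": [], "network": []}
    for proc in snapshot.get("processes", []):
        # Compare on the file name so any user's AppData path matches.
        if proc.rsplit("\\", 1)[-1].lower() == DROPPED_BASENAME:
            hits["process"].append(proc)
    for key in snapshot.get("registry_keys", []):
        if RANDOM_KEY.match(key):
            hits["registry"].append(key)
    for mutex in snapshot.get("mutexes", []):
        if XM_MUTEX.match(mutex):
            hits["mutex"].append(mutex)
    for conn in snapshot.get("connections", []):
        if conn.split(":", 1)[0] == C2_HOST:
            hits["network"].append(conn)
    return hits


# Constructed sample snapshot: the write-up's indicators mixed with benign entries.
SAMPLE_SNAPSHOT = {
    "processes": [r"C:\Windows\explorer.exe",
                  r"C:\Users\alice\AppData\Roaming\kb00121600.exe"],
    "registry_keys": [r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion",
                      r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CFBDC89D4",
                      r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\S25BC2D7B"],
    "mutexes": [r"Local\XMM000004B8", r"Local\XMI000004B8", r"Local\XMRFB119394",
                r"Local\ZonesCacheCounterMutex"],
    "connections": ["173.224.215.130:80", "192.0.2.10:443"],
}

if __name__ == "__main__":
    for category, items in check_host_snapshot(SAMPLE_SNAPSHOT).items():
        print(f"{category}: {items}")
```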

Responding on the IPs of the client-side exploit-serving domains – 82.165.193.26 (AS8560); 203.80.16.81 (AS24514); 216.24.196.66 (AS40676) – are also a number of other malicious/fraudulent domains.

A large share of these domains have previously been profiled in a series of malicious campaigns, indicating that these campaigns continue to be launched by the same cybercriminal or gang of cybercriminals.